A new phishing kit has been observed slipping past MFA on Microsoft 365 without stealing a single password.
The FBI’s Internet Crime Complaint Center warned organizations on May 21 about Kali365, a Phishing-as-a-Service (PhaaS) platform first seen in April 2026 and sold primarily through Telegram.
Rather than harvesting credentials or intercepting MFA codes, Kali365 captures the OAuth tokens that Microsoft 365 issues after a user has successfully signed in, handing attackers persistent access to a victim’s account.
The technique is what makes it dangerous. Most MFA-bypass advice assumes attackers steer victims toward a counterfeit login page. Kali365 does the opposite: it routes the target through Microsoft's genuine sign-in flow, so MFA completes normally and the usual phishing tells, such as a lookalike domain or a fake login page, are absent.
How Device-Code Phishing Works
Kali365 abuses a legitimate feature, the OAuth 2.0 device authorization flow. The flow exists so that input-limited devices such as smart TVs, conference-room systems and printers can authenticate without a browser: the device requests a short user code, the user enters that code on a second device at Microsoft's device-login page and signs in there, and the device, which has been polling Microsoft's token endpoint, receives the tokens once the sign-in completes.
The attack inverts that intent. The attacker starts the device authorization themselves, which yields a short user code, and emails that code to the victim inside a lure impersonating a cloud or document-sharing service. The victim pastes it into Microsoft's real verification page and signs in, unknowingly authorizing the attacker's device. Because the sign-in happens on Microsoft's genuine flow, MFA completes as normal, and Microsoft issues OAuth access and refresh tokens straight to the attacker's polling client. A Microsoft device code is only valid for a short window (about 15 minutes), which is why these lures push for immediate action.
From there, the attacker can reach Outlook, Teams, OneDrive, and any SaaS app linked to the account through single sign-on, without a password or a further MFA prompt, and the refresh token keeps that access alive as individual access tokens expire.
Kali365 puts account takeover within reach of less-technical attackers. The platform bundles AI-generated phishing lures, automated campaign templates, and real-time dashboards for tracking specific targets.
FBI Recommends Restricting Device-Code Flow and Revoking Active Token Sessions
The FBI's central recommendation is to restrict the device-code flow itself. It advises creating a Conditional Access policy that blocks device code flow for all users, with narrow exceptions for genuine business needs, and auditing existing device-code usage first to identify those dependencies before the policy goes live.
The bureau also recommends blocking authentication transfer, the other method covered by the same Conditional Access authentication-flows condition. Where device-code flow cannot be fully blocked, it advises scoping the exceptions narrowly, and in every case excluding emergency access accounts to avoid lockouts.
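The three steps above (audit current device-code usage, create the block policy with break-glass exclusions, then enforce it) as one worked PowerShell example. This is an added example, not code from the FBI advisory or from the article, and it assumes the Microsoft.Graph PowerShell SDK, an account holding the Conditional Access Administrator role, that the sign-in log's `authenticationProtocol` property can be filtered server-side in your tenant, and placeholder object IDs for the emergency access accounts and any approved exception group.

```powershell
# Added example (not from the FBI advisory or the article). Assumes the
# Microsoft.Graph PowerShell SDK; every object ID below is a placeholder.
$scopes = @("AuditLog.Read.All", "Directory.Read.All",
            "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess")

function Get-DeviceCodeUsage {
    # Step 1: summarise device-code sign-ins over the last $Days days by user
    # and client app, so dependencies are known before anything is blocked.
    # Server-side filtering on authenticationProtocol is assumed; if the service
    # rejects the filter, drop that clause and use Where-Object instead.
    param([int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and authenticationProtocol eq 'deviceCode'" |
        Group-Object UserPrincipalName, AppDisplayName |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.Group[0].UserPrincipalName
                App     = $_.Group[0].AppDisplayName
                AppId   = $_.Group[0].AppId
                SignIns = $_.Count
                IPs     = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object SignIns -Descending
}

function New-DeviceCodeBlockPolicy {
    # Step 2: create the block policy in report-only mode first, excluding the
    # emergency access accounts and any group with a reviewed business need.
    param(
        [Parameter(Mandatory)][string[]]$BreakGlassUserIds,   # always excluded
        [string[]]$ApprovedGroupIds = @()                      # narrow exceptions
    )
    $body = @{
        displayName   = "Block device code flow and authentication transfer"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users               = @{
                includeUsers  = @("All")
                excludeUsers  = $BreakGlassUserIds
                excludeGroups = $ApprovedGroupIds
            }
            applications        = @{ includeApplications = @("All") }
            clientAppTypes      = @("all")
            # The "Authentication flows" condition; both transfer methods go in
            # one comma-separated string, which is the shape the Graph API expects.
            authenticationFlows = @{ transferMethods = "deviceCodeFlow,authenticationTransfer" }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Get-ReportOnlyBlocks {
    # Step 3a: sign-ins the report-only policy would have blocked. Anything here
    # that is legitimate needs an exclusion before the policy is enforced.
    param([Parameter(Mandatory)][string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
        } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress
}

# Usage
Connect-MgGraph -Scopes $scopes
Get-DeviceCodeUsage -Days 30 | Format-Table -AutoSize
$policy = New-DeviceCodeBlockPolicy -BreakGlassUserIds @("<break-glass-object-id-1>", "<break-glass-object-id-2>")
# ...after a soak period in report-only mode:
Get-ReportOnlyBlocks -PolicyId $policy.Id | Format-Table -AutoSize
# Step 3b: enforce once the report-only hits are all expected.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

Report-only mode is what makes the audit-first advice safe to follow: the policy records what it would have blocked in each sign-in's applied-policies list without cutting anyone off, and the emergency access accounts stay excluded even after the state is flipped to enabled.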
One key detail when responding to an incident: because the stolen tokens grant standalone access, a password reset alone does not evict the attacker. Active sessions have to be revoked, which invalidates the refresh tokens. Access tokens that were already issued remain usable until they expire (roughly an hour by default), so continued activity from the attacker's client should be expected, and watched for, during that window.
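The eviction sequence as an added PowerShell example (not code from the FBI advisory or the article). It assumes the Microsoft.Graph PowerShell SDK, delegated permissions that allow password resets and session revocation for the tenant, a placeholder victim UPN, and, as in the previous example, that the sign-in log can be filtered server-side on `authenticationProtocol`.

```powershell
# Added example (not from the FBI advisory or the article). Assumes the
# Microsoft.Graph PowerShell SDK; the victim UPN is a placeholder.
function Invoke-TokenEviction {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. Find the device-code sign-in that handed out the tokens, so the client
    #    app ID and source IP can be hunted for across the rest of the tenant.
    $since = (Get-Date).ToUniversalTime().AddDays(-14).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter = "createdDateTime ge $since and userPrincipalName eq '$UserPrincipalName' " +
              "and authenticationProtocol eq 'deviceCode'"
    $suspect = Get-MgAuditLogSignIn -All -Filter $filter |
        Select-Object CreatedDateTime, AppId, AppDisplayName, IpAddress,
                      @{n = 'Country'; e = { $_.Location.CountryOrRegion }}

    # 2. Reset the password. Required, but on its own it leaves the attacker's
    #    refresh token valid. Six characters from each class guarantee the
    #    temporary password meets the complexity policy.
    $chars = foreach ($class in @((48..57), (65..90), (97..122), (33..47))) {
        $class | Get-Random -Count 6
    }
    $tmp = -join ($chars | Sort-Object { Get-Random } | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = $tmp
        ForceChangePasswordNextSignIn = $true
    }

    # 3. Revoke sessions. This invalidates every refresh token and session cookie
    #    issued before now, which is the step that actually evicts the attacker.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # 4. Confirm the revocation timestamp moved. Access tokens issued before it
    #    stay usable until they expire (about an hour by default), so keep
    #    watching the sign-in log for the AppId / IP in $suspect meanwhile.
    $user = Get-MgUser -UserId $UserPrincipalName -Property SignInSessionsValidFromDateTime
    [pscustomobject]@{
        User              = $UserPrincipalName
        SessionsValidFrom = $user.SignInSessionsValidFromDateTime
        DeviceCodeSignIns = $suspect
    }
}

# Usage
Connect-MgGraph -Scopes @("AuditLog.Read.All", "Directory.Read.All",
                          "User.ReadWrite.All", "Directory.AccessAsUser.All")
Invoke-TokenEviction -UserPrincipalName "victim@contoso.example"
```

The order matters: resetting the password first closes the door to a fresh interactive sign-in, and the session revocation that follows is what kills the tokens the attacker already holds. The returned `DeviceCodeSignIns` rows give the client app ID and IP to pivot on when checking whether other users in the tenant pasted a code from the same campaign.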